On Sat, Aug 8, 2015 at 9:06 PM, greg boyd <[log in to unmask]> wrote:
> Hi everyone -
>
> the selinux boolean is now called nis_enabled. I think allow_ypbind is still
> accepted, but not published in the getsebool -a list.
> We use ypbind behind a firewall for our linux accounts on a protected subnet
> (clients: SL7, server: SL6.6) without any problems. It is super easy to set
> up and maintain for an environment with a thousand accounts, 30 client
> machines, and many account changes nightly and where we use NFS-mounted home
> directories. Those qualities make automation with LDAP much more difficult.
>
> I know its security is poor, but here are a few suggestions to help at least a
> bit with the most onerous security issues:
>
> restrict uid/gid subset you export
> don't publish the shadow map
> restrict who can connect using the securenets file
>
> If anyone else has any words of wisdom to try to help tighten NIS in these
> environments (other than 'why are you still using it?') I'd love to hear it.

Manage accounts through NIS, provide authentication through Kerberos.
And separate the "passwd" and "group" files on the NIS server from the
NIS server's own passwd and group files: this lets you put them in a
separate directory, say /var/yp, that you can put under source
control to record changes.
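Putting the advice from both messages into one server-side layout, as an added example that was not posted in this thread: the variable names (YPSRCDIR, YPPWDDIR, MINUID, MINGID, MERGE_PASSWD, MERGE_GROUP, NOPUSH and the "all:" target) are those of ypserv's stock /var/yp/Makefile; the /var/yp/src directory, the accounts, the groups and the 192.0.2.0/24 subnet are assumptions, and every file the script writes is constructed sample data. The awk filter reproduces what the Makefile's passwd and group targets do, so you can see exactly which accounts a given MINUID/MINGID lets out before you rebuild the maps. One caveat the list above does not cover: leaving "shadow" out of the all: target is not enough by itself, because with MERGE_PASSWD=true the stock Makefile folds the shadow hashes into passwd.byname; with Kerberos doing the authentication there is no reason to merge them, so set MERGE_PASSWD=false.

```shell
#!/bin/sh
# Added example, not code posted in this thread. It combines the advice
# above: a separate, versionable source tree for the NIS maps, a uid/gid
# floor, no shadow data in any map, and a securenets file. The Makefile
# variable names are those of ypserv's stock /var/yp/Makefile; the
# directory /var/yp/src, the accounts and the subnet are assumptions.
set -eu

MINUID=1000
MINGID=1000

# Stand-in for the separate source directory (/var/yp/src on a real server).
SRC=$(mktemp -d)

# Constructed passwd/group sources: two system accounts that must not be
# exported and two real users. No hashes live here; authentication is
# Kerberos, so the password field stays "x".
cat > "$SRC/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
cat > "$SRC/group" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:1001:alice,bob
EOF

# Only clients on the protected subnet (and localhost) may query ypserv.
cat > "$SRC/securenets" <<'EOF'
# netmask         network
255.0.0.0         127.0.0.0
255.255.255.0     192.0.2.0
EOF

# Settings to put in /var/yp/Makefile (shown here, not applied by this script):
#   YPSRCDIR = /var/yp/src     source for hosts, services, netgroup, ...
#   YPPWDDIR = /var/yp/src     passwd and group come from here, not /etc
#   MINUID = 1000              drop system accounts from the passwd map
#   MINGID = 1000              drop system groups from the group map
#   MERGE_PASSWD = false       never fold shadow hashes into passwd.byname
#   MERGE_GROUP = false
#   NOPUSH = true
#   all: passwd group hosts rpc services netid protocols    # no "shadow"

# Same filter the Makefile's passwd target applies: skip NIS compat "+"/"-"
# lines and any uid below MINUID, and emit "key<TAB>record" for makedbm.
export_passwd() {
    awk -F: -v min="$MINUID" '!/^[-+]/ && $3 >= min { print $1 "\t" $0 }' "$1"
}

# Same idea for the group map with MINGID.
export_group() {
    awk -F: -v min="$MINGID" '!/^[-+]/ && $3 >= min { print $1 "\t" $0 }' "$1"
}

# Sanity-check a securenets file before restarting ypserv: every
# non-comment line must be "<netmask> <network>" or "host <address>".
check_securenets() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF != 2 { bad++; next }
        $1 != "host" && $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad++; next }
        $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad++ }
        END { exit (bad > 0) }' "$1"
}

export_passwd "$SRC/passwd"      # alice and bob only
export_group "$SRC/group"        # users only
check_securenets "$SRC/securenets"
echo "securenets OK"
```

Keep the source tree and the securenets file in git (git init in /var/yp/src, commit after each nightly account change); the Makefile then only needs YPSRCDIR and YPPWDDIR pointed at that tree, and make -C /var/yp rebuilds the maps from the committed state.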